In order to secure access to a computing resource, such as an encryption key, a host computer typically requires a user to authenticate to the host before it provides access. A common authentication method requires the user to enter a password. Frequently the user enters the password into a keyboard that is physically connected to a client computer, which communicates with the host computer over a network. The keyboard can also be directly connected to the host. If the user enters the correct password, then the host grants access to the resource.
However, this sort of scheme leaves the computing resource vulnerable, because the connection between the keyboard and the host is susceptible to eavesdropping. For example, a third party can monitor the connection with a sniffer or a network analyzer and capture the password during transmission. The third party can then use the password to authenticate to the host and illegally gain access to the resource.
A more secure authentication scheme utilizes a hardware device, such as a token, that generates passcodes (e.g., one-time passcodes, or OTPs). One-time passcodes are passwords that authenticate a user to a host only a single time, enabling access to a computing resource only once. An OTP token typically generates a series of passcodes; for example, a time-based token generates one new passcode every minute. The token does this with an algorithm that takes as input some data which varies (in the case of a time-based token, the current time on the token's internal clock) and a "seed" value which is programmed into the token at the time of manufacture. The token then displays the resulting output, the one-time passcode, on an LCD display. The token updates the displayed passcode as needed by re-running the algorithm with the new variable data. Those practiced in the art will recognize that there are a number of different one-time-passcode tokens and a number of different sources for the variable data. Examples of other one-time-passcode tokens include, but are not limited to, event-based, counter-based, challenge-response-based, and time-based tokens.
In the discussion above, the results of the one-time-passcode algorithm computation were displayed on the LCD display of the token. Not all tokens are required to have an LCD display. Some tokens can be directly connected to a host computer, while other tokens are not connected to a host computer and are typically handheld devices. A token which is connected to a host computer may be able to have the results of the one-time-passcode algorithm transmitted to the host computer, and therefore may not require an LCD display. This transmission could occur in a variety of ways, including but not limited to transmission over a USB connection, transmission over a serial connection, transmission over a wireless connection, and so on.
When the user wants to authenticate to the host computer using a connected token, the user physically connects the token to the host. The token then provides the passcode to the host via a digital data stream. Typically, the user also enters a PIN that only the user knows. The host has software that recognizes whether the passcode provided by the token at a particular authentication attempt is the correct one for that token at that time, and whether the PIN is also correct. If the user loses the token, a third party without knowledge of the PIN would not be able to authenticate. Similarly, a third party with knowledge of the PIN but without the token would be unable to guess what passcode the token would display at the time of the authentication attempt, and would not be able to authenticate.
Further, after a passcode is used once, it cannot be used again to authenticate to the host, even if it is used again during the minute that the passcode is valid. This helps to further secure the computing resource because a third party can no longer learn useful passwords by eavesdropping. If the third party discovers the passcode during its transmission to the host, they will not be able to later authenticate to the host by using it, because it has already been used once.
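As an added illustration (not part of the original text), the following Python models both sides of the scheme described above: a time-based token deriving a passcode from its seed and clock, and a host that checks the PIN and the passcode and refuses to accept a passcode a second time even within the minute it is valid. The HMAC-based construction follows RFC 6238 (TOTP) with a 60-second step, which the page does not specify; the seed, PIN and token ID are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample seed; a real token's seed is programmed at manufacture.
SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60   # the page's example: one new passcode every minute
DIGITS = 6


def token_passcode(seed: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the token computes: HMAC keyed with the seed over the current time step
    (the varying input), truncated to a short decimal passcode (RFC 6238 style)."""
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Host:
    """Host-side verifier: knows each token's seed and PIN, and remembers which
    time steps it has already accepted so a sniffed passcode cannot be replayed."""

    def __init__(self, tokens: dict):
        self._tokens = tokens   # token_id -> (seed, sha256 hex of PIN; stand-in for a real password hash)
        self._used = {}         # token_id -> set of accepted time-step counters

    def authenticate(self, token_id: str, pin: str, passcode: str, now: int, drift_steps: int = 1) -> bool:
        entry = self._tokens.get(token_id)
        if entry is None:
            return False
        seed, pin_hash = entry
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), pin_hash):
            return False
        counter = now // STEP_SECONDS
        used = self._used.setdefault(token_id, set())
        # Tolerate slight clock drift between token and host, but never re-accept
        # a time step whose passcode has already been spent.
        for c in range(counter - drift_steps, counter + drift_steps + 1):
            if c in used:
                continue
            expected = token_passcode(seed, c * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), passcode.encode()):
                used.add(c)
                return True
        return False
```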